mirror of
https://github.com/pnpm/pnpm.git
synced 2026-07-18 03:32:36 -04:00
A tampered `pnpm-lock.yaml` that strips the `integrity` field from a tarball resolution let the worker download the URL contents and mint a fresh integrity from the unverified bytes. An attacker who could both alter the lockfile (e.g. via a pull request that drops `integrity:`) and serve modified content at the referenced tarball URL could install a tampered package without any error — including under `--frozen-lockfile`. `pkgSnapshotToResolution` now fails closed at lockfile-read time with `ERR_PNPM_MISSING_TARBALL_INTEGRITY` whenever a tarball-shaped resolution (no `type` field — covers plain remote, registry-derived, `file:`, and `gitHosted` entries) lacks integrity. Git-hosted tarballs and `file:` tarballs remain exempt: the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes. The fix sits at the lockfile-read chokepoint every install path flows through (deps-resolver, deps-restorer, graph-builder), so both isolated and hoisted node-linkers are covered. Credit to AutoFyn for finding and reporting the issue.
29 lines
456 B
JSON
29 lines
456 B
JSON
{
|
|
"extends": "@pnpm/tsconfig",
|
|
"compilerOptions": {
|
|
"outDir": "lib",
|
|
"rootDir": "src"
|
|
},
|
|
"include": [
|
|
"src/**/*.ts",
|
|
"../../__typings__/**/*.d.ts"
|
|
],
|
|
"references": [
|
|
{
|
|
"path": "../../packages/dependency-path"
|
|
},
|
|
{
|
|
"path": "../../packages/error"
|
|
},
|
|
{
|
|
"path": "../../packages/types"
|
|
},
|
|
{
|
|
"path": "../../resolving/resolver-base"
|
|
},
|
|
{
|
|
"path": "../types"
|
|
}
|
|
]
|
|
}
|